SAC PA Human Subject Research Data Security Review Process



SLIDE 1

Computing Services and Systems Development

SAC PA

Human Subject Research Data Security Review Process

Presenter: Scott Weinman, CISSP, CISA, CPA, MBA, MS

June 15, 2018

SLIDE 2

Agenda

  • Pitt’s Journey
  • Current Process
  • Data Security Form
  • Future Process
  • Automate based on risk
  • Takeaways
SLIDE 3

Pitt’s Journey

  • 2015 – Pitt CSSD Security was asked to develop a research security review process by the Institutional Review Board (IRB)
  • Developed a relationship with Pitt’s IRB
  • Inserted into IRB review process as an ancillary reviewer
  • Continue to refine and automate the process based on risk
SLIDE 4

Current Process – Data Security Review

  • Researchers submit a data security form with each study submission
  • CSSD Security reviews and provides guidance
  • CSSD Security approves once the researcher and Security agree the appropriate level of controls will be implemented

SLIDE 5

Current Process – Data Security Form

  • Word Document divided into 4 sections
  • Identifiers collected and coded
  • Technologies used
  • Storage used
  • Data lifecycle
SLIDE 6

Current Process – Data Security Form

  • Identifiers Collected - Identifiers
  • 18 HIPAA identifiers
  • Other unique identifiers

SLIDE 7

Current Process – Data Security Form

  • Identifiers Collected – Coded
  • Removing all identifiers?
  • Identifiable data stored separately from de-identified?
  • Is the data sensitive?
SLIDE 8

Current Process – Data Security Form

  • Technologies Used – Mobile Apps
  • Identifiable data?
  • GPS
  • Registration
  • Other access
  • How protected?
  • Device
  • Access
  • Encrypted
  • Transmitted
  • Vendor Risk Assessment?

  • Privacy Policy?
SLIDE 9

Current Process - Data Security Form

  • Technologies Used – Web based site/survey
  • Identifiable data?
  • How protected?
  • Encrypted
  • Transmitted
  • IP Address
  • Informed Consent
  • Vendor Risk Assessment?

SLIDE 10

Current Process - Data Security Form

  • Technologies Used – Wearable Device
  • Identifiable data?
  • GPS
  • Registration
  • How protected?
  • Encrypted
  • Transmitted
  • Mobile App needed?

  • Privacy Policy?
SLIDE 11

Current Process - Data Security Form

  • Technologies Used – Electronic Audio, Photographs, Video
  • Identifiable data?
  • GPS?
  • App used?
  • Sync in the cloud?
  • Privacy Policy?
  • Encryption?
  • Physical Security?
SLIDE 12

Current Process - Data Security Form

  • Technologies Used – Text Messaging
  • Message Content
  • Survey?
  • Informed Consent

SLIDE 13

Current Process - Data Security Form

  • Storage Used
  • Identifiable?
  • Storage
  • PC?
  • Server?
  • Cloud?
  • Other?
  • Workstation
  • Anti-virus?
  • Patched?
  • Encrypted?
  • Vendor Assessment?
SLIDE 14

Current Process - Data Security Form

  • Data Lifecycle
  • Who will have access?
  • Who is responsible for data security? (Principal Investigator)
  • Breach notification plan in place?
  • Data retention plan in place?

SLIDE 15

Future Process - Data Security Review

  • Data security form is being added into the IRB application as a web form
  – Edit checks to reduce omissions
  – Based on risk, certain combinations of data type, technologies, and storage locations will be automatically reviewed

SLIDE 16

Future Process - Data Security Review

Data Security Web Form

  • Upfront questions created to assist in assessing risk
  • Anonymous
  • Sensitive
  • Added Social Media

SLIDE 17

Future Process – Data Security Review

  • Risk Matrix – Auto Review Criteria
  • Logic was built to auto review studies with certain data and technology combinations (red)
  • Other studies will continue to be manually reviewed (green)

SLIDE 18

Takeaways

  • Build a relationship between the IRB and Data Security
  • Become part of the study review workflow
  • Develop a standardized form
  • Take a risk based approach to the reviews
  • Build a relationship with the research community

SLIDE 19

Questions?

Contact Information

Scott Weinman
University of Pittsburgh
Email: sdw37@pitt.edu

SLIDE 20

Thank You